Reforming the UK GDPR while

Executive summary


DIGITALEUROPE welcomes the comprehensive reflection initiated by the 
UK government around possible future reforms of the UK data protection 
framework.¹ The consultation document elaborates on many areas that
have emerged as central to a successful implementation of the General
Data Protection Regulation (GDPR), including its UK version.²


Pivotal to any future reforms of the UK framework must be a consideration as to 
whether the proposed reforms would endanger the continued existence of an 
adequacy finding from the European Commission. 


An adequacy decision does not require a word-by-word replica of EU provisions, 
the test being instead that of ‘essential equivalence.’ In this context, UK reforms 
should focus on preserving the central tenets of the GDPR and clarifying those 
aspects that have proved more difficult in Member States’ implementation as well 
as in data protection authorities’ interpretation of the text. These areas include 
central definitions such as research, the applicability of existing legal bases such 
as legitimate interest and concepts such as anonymisation. 


By contrast, we urge great caution on elements where divergence may cause a 
fundamental reconsideration of the EU’s assessment of the UK system. Any 
perceived benefits from increased flexibility in these areas would be outweighed 
by the likely loss of adequacy status, whose preservation is paramount given the 
UK’s reliance on trade with the EU. 


1 https://www.gov.uk/government/consultations/data-a-new-direction


2 For our comprehensive analysis of some of the criticalities around GDPR implementation, see
Two years of GDPR: A report from the digital industry, available at
https://www.digitaleurope.org/wp/wp-content/uploads/2020/06/DIGITALEUROPE_Two-years-of-GDPR_A-report-from-the-digital-industry.pdf

Areas where we urge a reconsideration of the proposals pertain, in particular, to
rules that will impact onward transfers, the ICO’s independence and the 
accountability framework. 


Table of contents


• Executive summary
• Table of contents
• Introduction
• A flexible approach grounded in the GDPR
• Areas of concern for maintaining adequacy




Introduction


DIGITALEUROPE represents the digital technology industry in Europe. Our 
members include some of the world’s largest IT, telecoms and consumer 
electronics companies and national associations from every part of Europe, 
including the UK. DIGITALEUROPE wants businesses to benefit fully from digital 
technologies and from the trusted free flow of data. 


The future EU-UK relationship depends greatly on the continued free flow of 
personal data, for businesses themselves and for the economic benefits these 
businesses generate. With six in every ten European companies regularly 
engaged in the transfer of data across the Channel as part of their business 
operations in a range of sectors, be it finance, manufacturing or retail,³ the
importance of maintaining data adequacy and the free flow of personal data for 
European and British businesses is well understood by stakeholders on both 
sides. 


Last May, we published our legal analysis⁴ in support of an adequacy decision
and welcomed its swift approval thanks to the UK’s strong and continued 
commitment to ensuring high standards of data protection. We gladly note that 
the proposed reforms remain firmly grounded in this approach. 


For any reform of the UK’s data protection regime to be successful, however, it is 
important to clearly identify what elements of the GDPR can be safely modified 
and, on the other hand, what proposed modifications may lead to a negative 
reassessment of the EU’s adequacy decision. 


3 See our Schrems II Impact Survey Report, available at
https://www.digitaleurope.org/resources/schrems-ii-impact-survey-report/


4 EU-UK data transfers — a legal analysis supporting a swift adequacy decision, available at
https://www.digitaleurope.org/resources/eu-uk-data-transfers-a-legal-analysis-supporting-a-swift-adequacy-decision/

A flexible approach grounded in the GDPR


Building on the recognition that the UK system currently delivers the required 
level of protection thanks to effective implementation, supervision and 
enforcement of data protection rights, the UK’s data reform consultation lays out 
several proposals of areas where the GDPR allows for more flexibility. 


These proposed changes could clarify uncertain interpretations of the text and 
contribute to a more competitive economy that continues to respect the essence 
of data protection rights. We welcome further flexibility proposed in the review in 
the following areas: 


>> Research: We support the aim of further clarifying the conditions around 
data processing for research purposes. Clearer definitions and guidance 
as to how data can be used by researchers could significantly increase 
the attractiveness of conducting research, thus promoting innovation. Of 
note, the creation of a statutory definition of ‘scientific research’ may lead 
to greater certainty surrounding which purposes are covered. In this 
context, a more explicit articulation of the broad interpretation already 
contained in Recital 159 GDPR, including the role played by industry, 
would be beneficial. This could be accompanied by a more explicit 
recognition of appropriate safeguards, including not only security but also 
contractual measures. 


>> Legitimate interest: We agree with the suggested approach to providing 
greater clarity as to what can be considered as a legitimate interest by 
expanding the list of examples in the text of the law.⁶ A list of legitimate
interests for which organisations can use personal data without having to
apply a balancing test, because such legitimate interest can most logically
be presumed, would help clarify the important role that this legal basis
plays in ensuring worthy processing operations can take place without
undue burden.⁷ This can also include sensitive data, subject to
appropriate safeguards. 


5 See our recent paper Making the most of the GDPR to advance health research, available at
https://www.digitaleurope.org/wp/wp-content/uploads/2021/06/Making-the-most-of-the-GDPR-to-advance-health-research_DIGITALEUROPE.pdf


6 Note that examples where legitimate interest can be presumed are already present in Recitals 47-49
GDPR, and an expanded list contained in normative provisions is perfectly in line with the
current GDPR approach.


7 On legitimate interest, see in particular our Response to EDPB consultation on video devices, pp.
4-5, available at https://www.digitaleurope.org/wp/wp-content/uploads/2019/09/DIGITALEUROPE-response-to-EDPB-consultation-on-video-devices.pdf

>> Anonymous data and anonymisation: Clarification as to the test for
when data can be reasonably considered anonymous, and processing
therefore does not impact data subject rights, would be hugely beneficial.
At the same time, it is important that this test prioritise a flexible definition.
We would welcome both clear guidance on how to anonymise data and
practical examples of cases when data may be considered anonymous,
for instance within health-related datasets.⁸


Areas of concern for maintaining adequacy 


Beyond proposals that aim for further flexibility while remaining aligned with the 
GDPR, we also note areas of concern where a more cautious approach is 
necessary. 


In particular, pursuing the following proposals could go to the core of the EU’s 
adequacy assessment and cause a negative review of the European 
Commission’s adequacy decision: 


>> International transfers: The UK currently holds an internationally
recognised high standard for data protection. A robust process for
adequacy assessment is key for the UK to maintain its status as a trusted
jurisdiction and international partner and as a hub for international data
flows. The EU has already voiced concerns over the potential of the UK
becoming a conduit for the onward transfer of data from the UK to third
countries. Proposals aiming to subject onward transfers from the UK to
the rest of the world to a considerably lower standard than that mandated
under the GDPR can safely be expected to be a central consideration in a
possible negative revision of the EU’s adequacy decision.


>> The role of the ICO: Requiring the ICO to align its international work to
UK government policy will be perceived as negatively affecting the ICO’s
independence. The proposed introduction of a statement of ICO priorities
by the Secretary of State would compromise the ICO’s independence
through what could be perceived as a government mandate. The
presence of an independent enforcer is a precondition of effective
protection in adequacy determinations.⁹ In addition to EU adequacy, this
may harm the ICO’s standing as it seeks to take part in global data flows
discussions.


8 In addition to our paper mentioned in footnote 3, see our Response to EDPB draft Guidelines on
connected vehicles and mobility-related applications, pp. 3-4, available at
https://www.digitaleurope.org/wp/wp-content/uploads/2020/05/DIGITALEUROPE-Response-to-EDPB-draft-guidelines-on-connected-vehicles-and-mobility-related-applications-542020.pdf


9 See notably Recital 104 and Art. 45(2)(b) GDPR.

>> Accountability: Facilitating compliance while reducing obligations on
organisations that only serve the purpose of fulfilling a legal obligation, 
but do not contribute to better protection, is an important objective that we 
welcome in the review. Despite this, it must be considered that 
companies have already undergone significant effort in adapting to and 
complying with data protection requirements, and any major 
readjustments are likely to incur further cost. Most importantly, the 
complete removal of central GDPR obligations such as the appointment 
of data protection officers, data protection impact assessments or breach 
notification may very negatively impact a future adequacy review. We 
also note that concerns around facilitating compliance can be addressed 
by means of adequate ICO guidance¹⁰ and by making better use of
instruments such as codes of conduct and certification that are already
contained in the GDPR.¹¹


>> Legitimate interest: While we largely support the proposal to expand on 
the list of processing purposes that can be presumed as legitimate 
interest, it is important to ensure alignment with the notion and purpose of 
this legal basis in the current GDPR text. Any major divergence may 
negatively impact organisations that already rely on this legal basis under 
the GDPR. We note that the list of suggested legitimate interests currently 
adheres to this approach and urge that such alignment should be 
maintained. 


>> AI and machine learning: We support the focus given to AI and machine
learning in the data protection review, particularly as to how unclarity
around the concept of fairness may negatively impact the development of
AI systems. However, we urge that the horizontal nature of the GDPR be
maintained and that any improvements to the UK framework should be
directed at clarifying central aspects around definitions and the
applicability of legal bases, as opposed to creating new ad hoc provisions
such as specific transparency reporting.¹²


10 https://ico.org.uk/for-organisations/accountability-framework/

11 See our Response to public consultation on draft EDPB Guidelines on codes of conduct and
monitoring bodies, available at
https://www.digitaleurope.org/wp/wp-content/uploads/2019/04/DIGITALEUROPE-response-to-draft-EDPB-guidelines-on-codes-of-conduct-and-monitoring-bodies.pdf,
and DIGITALEUROPE response to EDPB consultation on draft guidelines on certification, available at
https://www.digitaleurope.org/wp/wp-content/uploads/2019/01/DIGITALEUROPE%20response%20to%20EDPB%20consultation%20on%20draft%20guidelines%20on%20certification.pdf


12 As proposed in Section 4.4 of the consultation document.

FOR MORE INFORMATION, PLEASE CONTACT:


Alberto Di Felice
Director for Infrastructure, Privacy and Security Policy
alberto.difelice@digitaleurope.org / +32 471 99 34 25


Luke Makris
Officer for International Outreach Policy
luke.makris@digitaleurope.org / +32 493 259 222

About DIGITALEUROPE


DIGITALEUROPE represents the digital technology industry in Europe. Our members include
some of the world’s largest IT, telecoms and consumer electronics companies and national
associations from every part of Europe. DIGITALEUROPE wants European businesses and
citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the
world’s best digital technology companies. DIGITALEUROPE ensures industry participation in
the development and implementation of EU policies.

Bristol-Myers Squibb, Brother, Canon, Cisco, DATEV, Dell, Dropbox, Eli Lilly and Company, Epson,
Ericsson, ESET, EY, Facebook, Fujitsu, GlaxoSmithKline, Global Knowledge, Google, Graphcore, Hewlett 
Packard Enterprise, Hitachi, HP Inc., HSBC, Huawei, Intel, Johnson & Johnson, Johnson Controls 
International, JVC Kenwood Group, Konica Minolta, Kyocera, Lenovo, Lexmark, LG Electronics, Mastercard, 
Microsoft, Mitsubishi Electric Europe, Motorola Solutions, MSD Europe Inc., NEC, Nemetschek, NetApp, 
Nokia, Nvidia Ltd., Oki, OPPO, Oracle, Palo Alto Networks, Panasonic Europe, Philips, Pioneer, Qualcomm, 
Red Hat, ResMed, Ricoh, Roche, Rockwell Automation, Samsung, SAP, SAS, Schneider Electric, Sharp 
Electronics, Siemens, Siemens Healthineers, Sky CP, Sony, Sopra Steria, Swatch Group, Technicolor, 
Texas Instruments, TikTok, Toshiba, TP Vision, UnitedHealth Group, Visa, Vivo, VMware, Waymo, Workday, 
Xerox, Xiaomi, Zoom. 


National Trade Associations 


Austria: IOÖ
Belarus: INFOPARK
Belgium: AGORIA
Croatia: Croatian Chamber of Economy
Cyprus: CITEA
Denmark: DI Digital, IT BRANCHEN, Dansk Erhverv
Estonia: ITL
Finland: TIF
France: AFNUM, SECIMAVI, numeum
Germany: bitkom, ZVEI
Greece: SEPE
Hungary: IVSZ
Ireland: Technology Ireland
Italy: Anitec-Assinform
Lithuania: INFOBALT
Luxembourg: APSI
Moldova: ATIC
Netherlands: NLdigital, FIAR
Norway: Abelia
Poland: KIGEIT, PIIT, ZIPSEE
Portugal: AGEFE
Romania: ANIS
Slovakia: ITAS
Slovenia: ICT Association of Slovenia at CCIS
Spain: AMETIC
Sweden: TechSverige, Teknikföretagen
Switzerland: SWICO
Turkey: Digital Turkey Platform, ECID
United Kingdom: techUK


